Trojaner-Board (https://www.trojaner-board.de/), forum section Log-Analyse und Auswertung, thread: HJT and eScan log (https://www.trojaner-board.de/23686-hjt-escan-log.html)

pyrates 15.11.2005 23:23

HJT and eScan log
 
Hi, I just caught a JavaScript virus, Dldr.Delf.NK2. However, I was logged on as a user with restricted rights and my AntiVir detected and deleted the virus. Here is an HJT log from normal mode and an eScan log from safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:33 PM, on 11/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Logitech MouseWare\MouseWare\system\em_exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Stuff\Downloads\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130338490906
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe




eScan
Tue Nov 15 22:16:44 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Tue Nov 15 22:16:44 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Tue Nov 15 22:16:45 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\powerstrip !!!
Tue Nov 15 22:16:45 2005 => Object "powerstrip Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Nov 15 22:16:45 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\powerstrip !!!
Tue Nov 15 22:16:45 2005 => Object "powerstrip Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Nov 15 22:16:46 2005 => Offending file found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cmdlineext02.dll
Tue Nov 15 22:16:46 2005 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.

Tue Nov 15 22:16:46 2005 => Offending file found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\war3_install.exe
Tue Nov 15 22:16:46 2005 => System found infected with whenu.savenow Spyware/Adware (war3_install.exe)! Action taken: No Action Taken.

Tue Nov 15 22:16:47 2005 => Offending Folder found: C:\Documents and Settings\Administrator\Start Menu\programs\powerstrip
Tue Nov 15 22:16:47 2005 => Object "powerstrip Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Nov 15 22:16:47 2005 => Offending Folder found: C:\Documents and Settings\Administrator\Start Menu\Programs\powerstrip
Tue Nov 15 22:16:47 2005 => Object "powerstrip Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Nov 15 22:16:47 2005 => Offending file found: C:\Documents and Settings\Administrator\Local Settings\temp\cmdlineext02.dll
Tue Nov 15 22:16:47 2005 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.

Tue Nov 15 22:16:47 2005 => Offending file found: C:\Documents and Settings\Administrator\Local Settings\temp\war3_install.exe
Tue Nov 15 22:16:47 2005 => System found infected with whenu.savenow Spyware/Adware (war3_install.exe)! Action taken: No Action Taken.

Tue Nov 15 22:16:47 2005 => Offending file found: C:\Documents and Settings\Administrator\Local Settings\temp\{f5f0d957-735f-4ef8-9956-1972efc33840}\{6e495ddc-eb85-4eed-8cfa-4c0fd30be0b1}\common.dll
Tue Nov 15 22:16:47 2005 => System found infected with cydoor Spyware/Adware (common.dll)! Action taken: No Action Taken.


Tue Nov 15 22:16:50 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Tue Nov 15 22:16:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\system32\CTDetect.cpl". Action Taken: No Action Taken.

Tue Nov 15 22:16:51 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\system32\pxwma.dll". Action Taken: No Action Taken.

Tue Nov 15 22:16:51 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.

Tue Nov 15 22:16:52 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Createcd50.exe" refers to invalid object "C:\Program Files\Common Files\Adaptec Shared\CreateCD\createcd50.exe". Action Taken: No Action Taken.

Tue Nov 15 22:16:52 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\Program Files\Your Company Name\WinFast(R) Display Driver\yourapp.Exe". Action Taken: No Action Taken.

Tue Nov 15 22:16:53 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Program Files\CPUInfo\". Action Taken: No Action Taken.

Tue Nov 15 22:16:53 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Motherboard Monitor 5_is1". Action Taken: No Action Taken.

Tue Nov 15 22:16:54 2005 => Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.

Tue Nov 15 22:16:55 2005 => Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.

Tue Nov 15 22:16:55 2005 => Entry "HKCR\CLSID\{F50B3F10-19C4-11CF-AA9A-02608C9BABA2}" refers to invalid object "C:\WINNT\system32\filter.ax". Action Taken: No Action Taken.

Tue Nov 15 22:16:55 2005 => Entry "HKCR\.pot" refers to invalid object "Powerpoint.Template". Action Taken: No Action Taken.

Tue Nov 15 22:16:55 2005 => Entry "HKCR\.ppt" refers to invalid object "Powerpoint.Show.7". Action Taken: No Action Taken.

Tue Nov 15 22:16:56 2005 => Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Tue Nov 15 22:16:56 2005 => Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Tue Nov 15 22:16:57 2005 => Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.

Tue Nov 15 22:16:57 2005 => Entry "HKCR\W3Chart\shell\open\command" refers to invalid object "D:\Stuff\DOWNLO~1\w3chart.exe "%1"". Action Taken: No Action Taken.


There was some spyware in there; I'll get on with removing it right away. What puzzles me a little, though, is that Powerstrip is reported as spyware...
And how does one remove the old, invalid registry entries?
Many thanks in advance.
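
The two logs above can be cross-checked mechanically rather than read side by side. The script below is an added example, not code from this post or from HijackThis or eScan. It takes a subset of the lines quoted above as constructed sample input and does four things an analyst would want from these two reports: it maps the CLSID that eScan labels "alexa" back to the HJT O9 lines that register it, lists the O4 Run values that name a bare executable with no directory (those are resolved through the loader's search order at logon rather than a fixed path, so they deserve a look before being trusted), separates the findings that live under a Temp directory from the rest, and collects the "refers to invalid object" registry entries into a review list. The regular expressions are assumptions fitted to the line formats visible in this post and nothing more; the helper names are mine.

```python
"""Cross-check a HijackThis log against eScan findings.

Added example, not code from the Trojaner-Board post or from either
tool.  The sample lines are copied from the logs in the post above;
the parsing rules are assumptions about the two log formats (they
match the lines shown, nothing more).
"""
import re

# Subset of the HJT log from the post (constructed sample input).
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
"""

# Subset of the eScan log from the post (constructed sample input).
ESCAN_LOG = r"""
Tue Nov 15 22:16:44 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Tue Nov 15 22:16:46 2005 => Offending file found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cmdlineext02.dll
Tue Nov 15 22:16:46 2005 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Tue Nov 15 22:16:47 2005 => Offending Folder found: C:\Documents and Settings\Administrator\Start Menu\programs\powerstrip
Tue Nov 15 22:16:47 2005 => Offending file found: C:\Documents and Settings\Administrator\Local Settings\temp\{f5f0d957-735f-4ef8-9956-1972efc33840}\{6e495ddc-eb85-4eed-8cfa-4c0fd30be0b1}\common.dll
Tue Nov 15 22:16:47 2005 => System found infected with cydoor Spyware/Adware (common.dll)! Action taken: No Action Taken.
Tue Nov 15 22:16:52 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Createcd50.exe" refers to invalid object "C:\Program Files\Common Files\Adaptec Shared\CreateCD\createcd50.exe". Action Taken: No Action Taken.
Tue Nov 15 22:16:57 2005 => Entry "HKCR\W3Chart\shell\open\command" refers to invalid object "D:\Stuff\DOWNLO~1\w3chart.exe "%1"". Action Taken: No Action Taken.
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
HJT_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
ESCAN_INFECTED_RE = re.compile(
    r"=> System found infected with (?P<family>\S+) Spyware/Adware \((?P<obj>.*)\)! Action")
ESCAN_PATH_RE = re.compile(r"=> Offending (?:file|Folder) found: (?P<path>.*)$")
ESCAN_STALE_RE = re.compile(
    r'=> Entry "(?P<key>.*?)" refers to invalid object "(?P<obj>.*)"\. Action Taken')
TEMP_RE = re.compile(r"\\temp\\", re.I)


def parse_hjt(text):
    """One dict per HJT 'O' line: kind, raw line, any CLSID, and for O4 the name/command."""
    entries = []
    for line in text.strip().splitlines():
        m = HJT_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        entry = {"kind": kind, "raw": line, "name": None, "command": None, "clsid": None}
        c = CLSID_RE.search(rest)
        if c:
            entry["clsid"] = c.group(0).lower()   # normalise case for matching
        if kind == "O4":
            r = RUN_RE.match(rest)
            if r:
                entry["name"], entry["command"] = r.group("name"), r.group("cmd")
        entries.append(entry)
    return entries


def executable_of(command):
    """The program a Run value starts: the quoted part, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def unqualified_run_entries(entries):
    """Names of O4 Run values whose executable carries no drive or directory.

    These are found through the search order at logon instead of a fixed
    location, so the file that actually runs should be located and checked.
    """
    return [e["name"] for e in entries
            if e["kind"] == "O4" and e["command"]
            and "\\" not in executable_of(e["command"])
            and ":" not in executable_of(e["command"])]


def parse_escan(text):
    """Split eScan lines into detections, offending paths and stale registry entries."""
    detections, paths, stale = [], [], []
    for line in text.strip().splitlines():
        if (m := ESCAN_INFECTED_RE.search(line)):
            detections.append((m.group("family"), m.group("obj")))
        elif (m := ESCAN_PATH_RE.search(line)):
            paths.append(m.group("path"))
        elif (m := ESCAN_STALE_RE.search(line)):
            stale.append((m.group("key"), m.group("obj")))
    return {"detections": detections, "paths": paths, "stale": stale}


def correlate_clsids(hjt_entries, escan):
    """Map each CLSID eScan flagged to the HJT lines that register the same object."""
    by_clsid = {}
    for family, obj in escan["detections"]:
        if not CLSID_RE.fullmatch(obj):
            continue
        clsid = obj.lower()
        by_clsid[clsid] = {"family": family,
                           "hjt_lines": [e["raw"] for e in hjt_entries if e["clsid"] == clsid]}
    return by_clsid


def temp_paths(escan):
    """Offending paths under a Temp directory (what a temp-file cleaner would cover)."""
    return [p for p in escan["paths"] if TEMP_RE.search(p)]


if __name__ == "__main__":
    hjt, es = parse_hjt(HJT_LOG), parse_escan(ESCAN_LOG)
    for clsid, info in correlate_clsids(hjt, es).items():
        print(f"eScan '{info['family']}' is registered by HJT as {clsid}:")
        for line in info["hjt_lines"]:
            print("   ", line)
    print("Run values without a full path:", unqualified_run_entries(hjt))
    print("Findings under Temp:", temp_paths(es))
    print("Stale registry entries to review:", [k for k, _ in es["stale"]])
```

Running it shows that the CLSID eScan labels alexa, {c95fe080-8f5d-11d2-a20b-00aa003c157a}, is exactly the one behind the IE "Related" button and "Show Related Links" menu item in the O9 lines, so the two reports describe one object; the whenu.savenow and cydoor files all sit under Temp, while the powerstrip folder does not; and the Run values mobsync.exe, CTHELPER.EXE, Logi_MwX.Exe and nwiz.exe are the ones started without a full path.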

dartus 15.11.2005 23:39

Hello,

for the "Temp" files --> clearprog 1.4.1 final
for the registry entries --> Regseeker

dartus

